I. Executive Summary

This document is intended primarily to further the risk management education of 
candidates for membership in the Casualty Actuarial Society (CAS). Current members of 
the CAS as well as other risk management professionals should also find this material of 
interest. 

In Chapter II, the evolution to and rationale for enterprise risk management (ERM) is 
explained. The “ERM movement” is driven by both internal (e.g., competitive 
advantage) and external (e.g., corporate governance) pressures - pressures that are both 
fundamental and enduring. 

Chapter III defines ERM for CAS purposes, and lays out its conceptual framework. The 
definition makes clear that ERM is a value-creating discipline. The framework describes 
both the categories of risk and the types of risk management processes covered by ERM. 
ERM is seen to extend well beyond the hazard risks with which casualty actuaries are 
particularly familiar, and well beyond the quantification of risks with which they are 
particularly skilled - but it is clear that the casualty actuarial skill set is extremely
well-suited to the practice of ERM. ERM also extends well beyond the insurance industry,
which presents a distinct opportunity for casualty actuaries to continue to expand their 
career horizons and take leadership roles in these varied industries. 

The vocabulary of ERM is established in Chapter IV, which also describes the measures, 
models and tools supporting the discipline. The close linkage between ERM and 
corporate performance management is made clear in this discussion. Dynamic Financial 
Analysis (DFA) is introduced, along with alternative approaches to capture hazard and 
financial risks, and their roles within an ERM context are explained. Models that treat
operational and strategic risks are also discussed. Applications of these measures, models 
and tools to support management decision-making are outlined at the conclusion of this 
chapter. 

With the conceptual and technical foundations of ERM thus established, Chapters V and 
VI turn to the actual practice of ERM. Chapter V presents relevant case studies from 
various industries, and Chapter VI offers some practical considerations in implementing 
ERM. 

For the reader interested in pursuing additional sources of learning on the subject, a 
bibliography of existing literature on ERM and its key components is included in 
Appendix C. (A continually updated, annotated and topically-organized road map 
through the literature can be found on the CAS Web site at 
http://www.casact.org/research/erm/.) 

Enterprise risk management is a “big idea”. Among other things, ERM can be viewed as 
the broad conceptual framework that unifies the many varied parts of the actuarial 
discipline. ERM provides a logical structure to link these subject areas together in a 
compelling way to form an integrated whole. In so doing, ERM addresses critical 
business issues such as growth, return, consistency and value creation. It expresses risk
not just as threat, but as opportunity - the fundamental reason that business is conducted 
in a free enterprise system. Through ERM, the clear linkage between business 
fundamentals and actuarial theory and practice should engage students and professionals 
from various backgrounds in the study of actuarial science - a logical career strategy in a 
global business environment that has embraced ERM as a modern management 
discipline. 

II. The ERM Evolution

Organizations have long practiced various parts of what has come to be called enterprise 
risk management. Identifying and prioritizing risks, either with foresight or following a 
disaster, has long been a standard management activity. Treating risks by transfer, 
through insurance or other financial products, has also been common practice, as has 
contingency planning and crisis management. 

What has changed, beginning very near the close of the last century, is treating the vast 
variety of risks in a holistic manner, and elevating risk management to a senior 
management responsibility. Although practices have not progressed uniformly through 
different industries and different organizations, the general evolution toward ERM can be 
characterized by a number of driving forces. We discuss these characteristic forces 
below. 

More - and More Complicated - Risks 

First of all, there is a greater recognition of the variety, the increasing number, and the 
interaction of risks facing organizations. Hazard risks such as the threat of fire to a 
production facility or liability from goods and services sold have been actively managed 
for a long time. Financial risks have grown in importance over the past number of years. 
New risks emerge with the changing business environment (e.g., foreign exchange risk 
with growing globalization). More recently, the awareness of operational and strategic 
risks has increased due to a succession of high-profile cases of organizations crippled or 
destroyed by failure of control mechanisms (e.g., Barings Bank, Enron) or by insufficient 
understanding of the dynamics of their business (e.g., Long Term Capital Management, 
General American Insurance Company). The advance of technology, the accelerating 
pace of business, globalization, increasing financial sophistication and the uncertainty of 
irrational terrorist activity all contribute to the growing number and complexity of risks. 

It is reasonable to expect that this trend will continue. 

Organizations have come to recognize the importance of managing all risks and their 
interactions, not just the familiar risks, or the ones that are easy to quantify. Even 
seemingly insignificant risks on their own have the potential, as they interact with other 
events and conditions, to cause great damage. 

External Pressures 


Motivated in part by the well-publicized catastrophic failures of corporate risk 
management cited above, regulators, rating agencies, stock exchanges, institutional 
investors and corporate governance oversight bodies have come to insist that company 
senior management take greater responsibility for managing risks on an enterprise-wide 
scale. These efforts span virtually every country in the civilized world. A sampling of 
these requirements and guidelines has been compiled in Appendix A. 

In addition to these codified pressures, publicly traded companies are well aware of the
increasingly vocal desire of their shareholders for stable and predictable earnings, which 
is one of the key objectives of ERM for many organizations. 

Portfolio Point of View 


Another characteristic force is the increasing tendency toward an integrated or holistic 
view of risks. Developments in finance (i.e., Modern Portfolio Theory) provide a 
framework for thinking about the collective risk of a group of financial instruments and 
an individual security’s contribution to that collective risk. With ERM, these concepts 
have been generalized beyond financial risks to include risks of all kinds, i.e., beyond a 
portfolio of equity investments to the entire collection of risks an organization faces. A 
number of principles follow from this thinking, including: 

■ Portfolio risk is not the simple sum of the individual risk elements. 

■ To understand portfolio risk, one must understand the risks of the individual elements 
plus their interactions. 

■ The portfolio risk, or risk to the entire organization, is relevant to the key risk 
decisions facing that organization. 

The implications of these principles are having a significant impact on the practice of 
ERM. There is growing recognition that risks must be managed with the total 
organization in mind. To do otherwise (sometimes referred to as managing risk within 
“silos”) is inefficient at best, and can be counter-productive. For example, certain risks 
can represent “natural hedges” against each other (if they are sufficiently negatively 
correlated). A classic case is that of an insurer selling both life insurance and annuity 
business to similarly situated customers and thereby naturally hedging away its mortality 
risk. To separately hedge mortality risk on these products (e.g., through reinsurance) 
would be cost inefficient and entirely unnecessary. Another example is that of a global 
conglomerate with one of its divisions long in a certain foreign currency and another 
short in the same currency. Separate currency hedges, while seemingly advisable from 
the point of view of the individual division heads, are unreasonable for the enterprise as a 
whole. 

A holistic approach helps give organizations a true perspective on the magnitude and 
importance of different risks. 

Quantification 

A fourth characteristic force, closely tied to the third, is the growing tendency to quantify 
risks. Advances in technology and expertise have made quantification easier, even for 
the infrequent, unpredictable risks that historically have been difficult to quantify. 
Following a series of natural disasters, most notably hurricane Andrew in 1992, the 
practice of catastrophe modeling arose and is now a standard practice in insurance 
companies. This combination of meteorological (in the case of hurricane modeling), 
structural engineering, insurance and technological expertise leading to probabilistic 
models is a huge advancement over previous quantification attempts. By the end of the 
twentieth century, insurance and reinsurance companies routinely measured their 
exposure to hurricanes, earthquakes and other natural disasters with a greater degree of
precision leading to a greater confidence in the ability to manage the exposure. More 
recently, such exposure-based quantification of exposure to losses has been extended to 
even less predictable, man-made disasters such as terrorist attacks. 

The emergence of Value-at-Risk as a regulatory and management standard in the 
financial services industry has been aided by the speed and ease in measuring certain 
financial risks. Data is collected constantly allowing risk profiles to be adjusted as 
portfolios and market conditions change. This gives financial institutions and the 
regulatory bodies that oversee them a level of confidence in their ability to take actions to 
operate within established parameters. 

Despite these advances, there will always remain risks that are not easily quantifiable. 
These include risks that are not well defined, unpredictable as to frequency, amount or 
location, risks subject to manipulation and human intervention, and newer risks. Man-made
risks, operational and strategic risks are examples of these. Operational risk is a
general category for a wide variety of risks, many of which are influenced by people and 
many of which do not have a long historical record. The tendency to quantify exposure 
to all these risks will certainly continue. 

In the same way there has been a continuing effort to better quantify individual risks, 
there is a growing effort to quantify portfolio risk. This effort is much more difficult 
because in addition to individual risks, one must quantify or explain interactions between 
individual risk elements. This can be extremely complex and challenging. However, 
there often is not the need for a great deal of precision; even a directionally correct 
answer may be valuable. The attempt at quantification allows the organization to analyze 
“what if” scenarios. They are able to estimate the magnitude of risk or degree of
dependency with other risks sufficiently to make informed decisions. Further, simply 
going through the quantification process gives people a better qualitative perspective of 
the risk. They may gain insight as to the likelihood or severity of the risk or to ways to 
prevent or mitigate the exposure. 

Boundaryless Benchmarking 

A fifth characteristic force pertains to scope. Common ERM practices and tools are 
shared across a wide variety of organizations and across the globe. The process, tools, 
and procedures laid out in this overview are not limited to the insurance or even financial 
service industries but rather are common to many organizations. Information sharing has
been aided by technology but, perhaps more importantly, by the fact that these practices are
transferable across organizations. Organizations have become quite willing to share
practices and efficiency gains with others with whom they are not direct competitors. 

An example of a phenomenon common to many organizations and having risk 
management implications is real options. Many organizations face operating and 
strategic situations where events are uncertain, players make initial investments to get in 
the game and then have the opportunity to make successive investments contingent on 
future events. The drug approval process in the pharmaceutical industry is an example 
where organizations face options-like decisions (see Chapter V). Option pricing
techniques provide organizations with a means of better thinking about and managing 
these risks. 

Different industries and organizations will continue to develop and employ variations of 
ERM. Different risks will be more or less important to organizations and risk 
management practices will differ in particular ways that best suit the organization, but 
there will be general concepts and broad general practices and techniques that are 
recognized and employed by organizations throughout the world. 

Risk as Opportunity 

A sixth characteristic force pertains to the outlook organizations have toward risk. In the 
past, organizations tended to take a defensive posture towards risks, viewing them as 
situations to be minimized or avoided. Increasingly, organizations have come to 
recognize the opportunistic side, the value-creating potential of risk. While avoidance or 
minimization remain legitimate strategies for dealing with certain risks, by certain 
organizations at certain times, there is also the opportunity to swap, keep, and actively 
pursue other risks because of confidence in the organization’s special ability to exploit 
those risks. 

There are a number of reasons for this shift in attitude. Over time and with practice, 
organizations have become more familiar with and more capable of managing the risks 
they face. They develop expertise in managing those risks both because of familiarity 
and confidence in the organization’s abilities. As a result, they may keep their own 
exposure and seek out opportunities to assume other organizations’ risks. Over time,
better information about risk has become available. This has led to new markets for
trading risks and more information about the cost of risks. This has allowed
organizations to better evaluate risk and return trade-offs and see that the costs of transfer
sometimes outweigh the benefits. In addition, the existence of risk-trading markets
contributes to a greater degree of confidence. Organizations can adopt a more aggressive
stance if they know they can switch to a defensive stance quickly, if needed.

In some cases organizations seek out risks to increase diversification, realizing that the 
addition of some risks may have a minimal impact on overall risk, or in the case of 
hedges, may decrease enterprise risks. In essence, there is a realization that risk is not 
completely avoidable and, in fact, informed risk-taking is a means to competitive
advantage. 

Summary 

It is reasonable to expect that the forces cited above will continue. Accordingly, risk 
management practices will become more and more sophisticated. As capabilities 
continue to improve, organizations will increasingly adopt ERM because they can. 

Note: For additional thoughts on the subject of this chapter, see Lisa K. Meulbroek,
“Integrated Risk Management for the Firm: A Senior Manager’s Guide”, Harvard 
Business School’s Division of Research Working Papers 2001-2002, 
http://www.hbs.edu/research/facpubs/workingpapers/papers2/0102/02-046.pdf 

III. ERM Definition and Conceptual Framework

Definition 


Several texts and periodicals have introduced or discussed concepts such as “strategic 
risk management”, “integrated risk management” and “holistic risk management”. 

These concepts are similar to, even synonymous with, ERM in that they all emphasize a 
comprehensive view of risk and risk management, a movement away from the “silo” 
approach of managing different risks within an organization separately and distinctly, and 
the view that risk management can be a value-creating, in addition to a risk-mitigating, 
process. 

The CAS Committee on Enterprise Risk Management has adopted the following 
definition of ERM: 

“ERM is the discipline by which an organization in any industry 
assesses, controls, exploits, finances, and monitors risks from all 
sources for the purpose of increasing the organization’s short- and 
long-term value to its stakeholders.” 

Several parts of this definition merit individual attention. First, ERM is a discipline. 

This is meant to convey that ERM is an orderly or prescribed conduct or pattern of 
behavior for an enterprise, that it has the full support and commitment of the management 
of the enterprise, that it influences corporate decision-making, and that it ultimately 
becomes part of the culture of that enterprise. Second, ERM, even as it is defined for 
CAS purposes, applies to all industries, not just the property/casualty insurance industry 
with which casualty actuaries are intimately familiar. Third, the specific mention of 
exploiting risk as a part of the risk management process (along with the stated objective 
of increasing short- and long-term value) demonstrates that the intention of ERM is to be 
value creating as well as risk mitigating. Fourth, all sources of risk are considered, not 
only the hazard risk with which casualty actuaries are particularly familiar, or those 
traditionally managed within an enterprise (such as financial risk). Lastly, ERM 
considers all stakeholders of the enterprise, which include shareholders and debtholders, 
management and officers, employees, customers, and the community within which the 
enterprise resides. 

Implicit in this definition is the recognition of ERM as a strategic decision support 
framework for management. It improves decision-making at all levels of the 
organization. 

Conceptual Framework 

A useful way to conceptualize ERM is along two dimensions: one spanning the types of 
risk included, and the other spanning the various risk management process steps, as 
below: 

ERM Framework

                              Types of Risk
Process Steps                 Hazard    Financial    Operational    Strategic
Establish Context
Identify Risks
Analyze/Quantify Risks
Integrate Risks
Assess/Prioritize Risks
Treat/Exploit Risks
Monitor & Review


In discussing these risk types and process steps, we will consider an enterprise, the 
Coldhard Steel Company (“Coldhard Steel”), which manufactures steel products, such as 
roller and ball bearings, used in other industrial machinery. Coldhard Steel operates in 
the “rust belt” of the midwestern U.S., is family-owned, and has a unionized labor force. 

Types of Risk 

Coldhard Steel is exposed to a number of hazard risks. First-party hazard risks include 
the possibility of fire or tornadoes damaging its plant and equipment, and the resulting 
loss of revenue (i.e., business interruption). Second-party hazard risks include injury or 
illness to its employees, including work-related injuries that would result in workers 
compensation claims. Given Coldhard Steel’s use of heavy machinery, as well as the 
benefit provisions in its principal state of operation, Coldhard Steel’s workers 
compensation exposure is substantial. Third-party hazard risk would include the 
possibility of slips and falls of visitors on its premises, products recall and/or products 
liability from defective products produced by Coldhard Steel. 

Since Coldhard Steel has significant sales in Latin America and Europe, it is exposed to 
foreign exchange risk, one of many financial risks. Coldhard Steel is tangentially 
exposed to additional foreign exchange risk in that even though it buys its steel from U.S. 
manufacturers, these prices are influenced by imported steel. Other financial risks for 
Coldhard Steel to consider are commodity risk (due to possible changes in prices in the 
raw materials it and its suppliers use in production) and credit risk (due to its significant 
accounts receivables asset). 

Since many employees are in the local machinists union, labor relations represents a 
significant operational risk for Coldhard Steel. Also, since the company is privately 
held, succession planning is critical for the time when the current owner either sells the 
company or passes down control to heirs. Coldhard Steel spends considerable time 
assessing the efficiency and reliability of its machines and processes. 

Strategic risks for Coldhard Steel include fluctuations in the demand and the market 
price for its finished products (and substitute products), competition from suppliers of 
other steel products, regulatory/political issues associated with the steel industry, and 
technological advances in its customers’ machines that could potentially render Coldhard
Steel’s current products obsolete. 

In general, enterprises (like and unlike Coldhard Steel) are exposed to risks that can be 
categorized into the following four types: 

■ Hazard Risks include risks from: 

□ fire and other property damage, 

□ windstorm and other natural perils, 

□ theft and other crime, personal injury, 

□ business interruption, 

□ disease and disability (including work-related injuries and diseases), and 

□ liability claims. 

■ Financial Risks include risks from: 

□ price (e.g. asset value, interest rate, foreign exchange, commodity), 

□ liquidity (e.g. cash flow, call risk, opportunity cost), 

□ credit (e.g. default, downgrade), 

□ inflation/purchasing power, and 

□ hedging/basis risk. 

■ Operational Risks include risks from: 

□ business operations (e.g., human resources, product development, capacity, 
efficiency, product/service failure, channel management, supply chain 
management, business cyclicality), 

□ empowerment (e.g., leadership, change readiness), 

□ information technology (e.g., relevance, availability), and 

□ information/business reporting (e.g., budgeting and planning, accounting 
information, pension fund, investment evaluation, taxation). 

■ Strategic Risks include risks from: 

□ reputational damage (e.g., trademark/brand erosion, fraud, unfavorable publicity) 

□ competition, 

□ customer wants, 

□ demographic and social/cultural trends, 

□ technological innovation, 

□ capital availability, and 

□ regulatory and political trends. 

The precise slotting of individual risk factors under each of these four categories is less 
important than the recognition that ERM covers all categories and all material risk factors 
that can influence the organization’s value. 

Process Steps

The following steps of the risk management process, which are based on those originally 
detailed in the Australian/New Zealand Standard in Risk Management (AS/NZS 4360), 
describe seven iterative elements. 



■ Establish Context - This step includes External, Internal and Risk Management 
Contexts. 

□ The External Context starts with a definition of the relationship of the enterprise 
with its environment, including identification of the enterprise’s strengths, 
weaknesses, opportunities, and threats (“SWOT analysis”). This context-setting 
also identifies the various stakeholders (shareholders, employees, customers, 
community), as well as the communication policies with these stakeholders. 

□ The Internal Context starts with an understanding of the overall objectives of the 
enterprise, its strategies to achieve those objectives and its key performance
indicators. It also includes the organization’s oversight and governance structure. 

□ The Risk Management Context identifies the risk categories of relevance to the 
enterprise and the degree of coordination throughout the organization, including 
the adoption of common risk metrics. 

Returning to our example, Coldhard Steel has formed a Risk Management Committee
that is headed by its chief financial officer, with representatives from loss 
control/safety, quality control, human resources, marketing, and finance. In 
consideration of the makeup of its labor force, a representative from the labor union is 
invited periodically to meetings. In terms of establishing common criteria for 
assessing all risks, Coldhard Steel adopted a Value at Risk approach, with an annual 
timeframe. 

■ Identify Risks - This step involves documenting the conditions and events (including 
“extreme events”) that represent material threats to the enterprise’s achievement of its 
objectives or represent areas to exploit for competitive advantage. 

In our example, Coldhard Steel has used a variety of methods (e.g., surveys, internal 
workshops, brainstorming sessions and internal auditing) to identify the significant 
hazard, financial, operational and strategic risks described in the previous section. 

■ Analyze/Quantify Risks - This step involves calibrating and, wherever possible,
creating probability distributions of outcomes for each material risk. This step 
provides necessary input for subsequent steps, such as integrating and prioritizing 
risks. Analysis techniques range along a spectrum from qualitative to quantitative, 
with sensitivity analysis, scenario analysis, and/or simulation analysis applied where 
appropriate. 

As indicated previously, workers compensation represents a significant hazard risk 
for Coldhard Steel. However, it has a number of years of claims and exposure data, 
and, based on quantitatively extrapolating cost trends into the future, Coldhard Steel’s 
consulting actuaries are able to determine reasonable expectations of costs and
variability of these costs into the near future. 

Coldhard Steel regularly monitors its account sales and accounts receivables, 
including performing credit analysis on its largest customers before extending
additional credit. Although all sales are transacted in U.S. dollars, orders from 
Mexico generate 10 percent of all sales, and Coldhard Steel’s financial analysts have 
considered hedging against devaluations in the Mexican peso. 

Coldhard Steel’s labor contract expires in three years, and although relations with the 
employees and union are considered good, senior management has asked its human 
resources to construct “best case”, “expected” and “worst case” estimates of salary 
and benefit increases anticipated to be requested by labor. As part of the worst case 
scenario, management has asked its finance department to estimate the impacts of a 
prolonged labor dispute and its effects on revenue, expenses and inventories. 

Coldhard Steel buys its steel from U.S. manufacturers, even though some of its 
competitors are taking advantage of cheaper foreign steel. Coldhard Steel is actively 
monitoring political discussions to gauge the likelihood that additional tariffs will be 
imposed on foreign steel in the near future. Coldhard Steel also monitors price levels 
for its finished products in relationship to the cost of its raw materials, products of its 
competitors, and substitute products. 

■ Integrate Risks - This step involves aggregating all risk distributions, reflecting 
correlations and portfolio effects, and expressing the results in terms of the impact on 
the enterprise’s key performance indicators (i.e., the “aggregate risk profile”).

Coldhard Steel’s Risk Management Committee and external consultants have begun 
to develop a structural simulation model to integrate all risks. The various 
components of the model are supported by a common stochastic economic scenario 
generator. 

■ Assess/Prioritize Risks - This step involves determining the contribution of each risk
to the aggregate risk profile, and prioritizing accordingly, so that decisions can be 
made as to the appropriate treatment. 

Coldhard Steel has not yet quantified all risks into probability distributions, let alone
integrated these risks into a complete aggregate risk profile. However, Coldhard 
Steel has developed judgmental assessments as to frequency and severity, and it has 
developed a “Risk Map”, which plots all risks by these two components. Coldhard 
Steel has prioritized a number of risks including its workers compensation exposure 
(hazard), account bad debt/credit risk (financial), labor relation risk (operational), and 
product obsolescence risk (strategic). 

■ Treat/Exploit Risks - This step encompasses a number of different strategies, 
including decisions to avoid, retain (and finance), reduce, transfer, or exploit risk.
For hazard risks, the prevalent transfer mechanism has been the insurance markets. 
Alternative risk transfer (ART) markets have developed from these with a goal of 
striking a balance between risk retention and risk transfer. With respect to financial 
risks, the capital markets have exploded over the last several decades to assist 
companies in dealing with commodity, interest rate, and foreign exchange risk. Until 
recently, companies had no mechanisms to transfer operational or strategic risks, and 
simply had to avoid or retain these risks. 

Coldhard Steel has historically insured its workers compensation exposure. However, 
given its comfort in assessing its loss experience, as well as increases in insurance 
rates, it is considering securing coverage with a large per occurrence deductible. 

With respect to financial risk, Coldhard Steel is instituting new standards regarding 
the extension of credit to its customers. In order to avoid potential labor disputes 
down the road, Coldhard Steel has decided to hold early discussions with union 
personnel regarding wages and benefits. 

Coldhard Steel believes that it is likely that additional tariffs will be imposed on 
foreign steel in the near future, so it is attempting to exploit this strategic risk by 
locking into fixed price agreements with its domestic suppliers. 

■ Monitor & Review - This step involves continual gauging of the risk environment and 
the performance of the risk management strategies. It also provides a context for 
considering risk that is scalable over a period of time (one quarter, one year, five 
years). The results of the ongoing reviews are fed back into the context-setting step 
and the cycle repeats. 

Coldhard Steel’s newly formed Risk Management Committee met extensively toward 
the end of the previous year for planning purposes, and intends to meet monthly to 
monitor progress on goals established. 

Note: The ERM Framework in this chapter was originally developed in the Final Report
of the Advisory Committee on Enterprise Risk Management (the predecessor committee 
to the Enterprise Risk Management Committee). This November 2001 report is available 
on the CAS Web site at http://www.casact.org/research/erm/report.htm. 

IV. ERM Language, Measures, Models and Tools

As outlined in the preceding chapter, the first process step in the ERM framework is to 
establish the context (internal, external and risk management) within which the 
organization operates. Critical to establishing this context - and one of the worthy goals 
of ERM in its own right - is the creation of a common risk vernacular across all 
functional areas and relevant disciplines throughout the organization. This chapter 
summarizes the terminology in common usage among companies that practice ERM, 
forming a large part of the emerging global “language of risk”. In so doing, this chapter 
introduces and discusses the measures, models and tools that help organizations perform 
the balance of the ERM process steps. 

Where appropriate, certain items are compared and contrasted; and where some items 
represent alternative approaches to a similar issue, relative strengths and weaknesses are 
discussed. 

Overall Corporate Performance Measures 

ERM clearly links risk management with the creation of organizational value and 
expresses risk in terms of impact on organizational objectives. An important aspect of 
ERM is therefore the strong linkage between measures of risk and measures of overall 
organizational performance. Thus, our discussion of ERM terminology begins with a 
description of key corporate performance measures. Our focus is on publicly traded 
corporations, and where industry-specific details are introduced, we use the financial 
services industry (and, more specifically, the insurance industry) for illustration. 

In addition to establishing context, these performance measures have specific application 
in the identification of risks. Risk identification is the qualitative determination of risks 
that are material, i.e., that potentially can impact, for better or worse, the organization’s 
achievement of its financial and/or strategic objectives. These objectives are usually 
expressed, of course, in terms of the overall corporate performance measures. 

The measures defined below are fundamental to the evaluation of corporate performance. 
It is assumed that the reader is already familiar with the more basic accounting terms and 
concepts such as net income, net worth, etc. 

■ General Industry 

□ Return on equity (ROE) — net income divided by net worth. 

□ Operating earnings — net income from continuing operations, excluding realized 
investment gains. 

□ Earnings before interest, dividends, taxes, depreciation and amortization 
(EBITDA) — a form of cash flow measure, useful for evaluating the operating 
performance of companies with high levels of debt (when the debt service costs 
may overwhelm other measures such as net income). 

□ Cash flow return on investments (CFROI) — EBITDA divided by tangible assets. 
□ Weighted average cost of capital (WACC) — the sum of the required market 
returns of each component of corporate capitalization, weighted by that 
component’s share of the total capitalization. 

□ Economic value added (EVA) — a corporate performance measure that stresses 
the ability to achieve returns above the firm’s cost of capital. It is often stated as 
net operating profits after tax less the product of required capital times the firm’s 
weighted average cost of capital. 

■ Financial Services Industry 

□ Return on risk-adjusted capital (RORAC) — a target ROE measure in which the 
denominator is adjusted depending on the risk associated with the instrument or 
project. 

□ Risk-adjusted return on capital (RAROC) — a target ROE measure in which the 
numerator is reduced depending on the risk associated with the instrument or 
project. 

□ Risk-adjusted return on risk-adjusted capital (RARORAC) — a combination of 
RAROC and RORAC in which both the numerator and denominator are adjusted 
(for different risks). 

■ Insurance Industry 

□ Economic capital — market value of assets minus fair value of liabilities. Used in 
practice as a risk-adjusted capital measure; specifically, the amount of capital 
required to meet an explicit solvency constraint (e.g., a certain probability of 
ruin). 

□ RAROC — expected net income divided by economic capital (thus, the more 
technically correct label is RORAC - see above - but in the insurance industry, 
RAROC is the term commonly used). RAROC is typically employed to evaluate 
the relative performance of business segments that have different levels of 
solvency risk; the different levels of solvency risk are reflected in the 
denominator. Evaluating financial performance under RAROC calls for 
comparison to a benchmark return; when the benchmark return is risk-adjusted 
(e.g., for volatility in net income), the result is similar to RARORAC (see above), 
though the term RAROC is still applied. 

□ Embedded value — a measure of the value of business currently on the books of 
an insurance company; it comprises adjusted net worth (the market value of assets 
supporting the surplus) plus the present value of expected future profits on 
in-force business. (Embedded value differs from appraisal value in that the latter 
also includes the value of future new business.) The performance measure is 
often expressed in terms of growth (i.e., year-on-year increase) in embedded 
value. 

□ Risk Based Capital (RBC) — a specific regulatory capital requirement 
promulgated by the National Association of Insurance Commissioners. It is a 
formula-derived minimum capital standard that sets the points at which a state 
insurance commissioner is authorized and expected to take regulatory action. 
Risk Measures 


In this section, reference is made to the term “risk profile” to represent the entire 
portfolio of risks that constitute the enterprise. Some companies represent this portfolio 
in terms of a cumulative probability distribution (e.g., of cumulative earnings) and use it 
as a base from which to determine the incremental impact (e.g., on required capital) of 
alternative strategies or decisions. It is in this sense that the term is used below. 

Most of the measures common in the practice of ERM can be placed in one of two 
categories: those measures related to the degree of the organization’s solvency, and those 
related to the volatility of the organization’s performance on a “going concern” basis. 

The measures in these two categories are used for distinctly different purposes and focus 
on distinctly different areas of the organization’s risk profile. Following and 
complementing the narrative descriptions of these measures are illustrations and formulas 
where appropriate. 

■ Solvency-related measures (these measures concentrate on the adverse “tail” of the 
probability distribution - see “risk profile” above - and are relevant for determining 
economic capital requirements, i.e., they relate to the risks captured in the 
denominator of RARORAC; they are of particular concern to customers and their 
proxies, e.g., regulators and rating agencies): 

□ Probability of ruin — the percentile of the probability distribution corresponding 
to the point at which capital is exhausted. Typically, a minimum acceptable 
probability of ruin is specified, and economic capital is derived therefrom. 

□ Shortfall risk — the probability that a random variable falls below some specified 
threshold level. (Probability of ruin is a special case of shortfall risk in which the 
threshold level is the point at which capital is exhausted.) 

□ Value at risk (VaR) — the maximum loss an organization can suffer, under 
normal market conditions, over a given period of time at a given probability level 
(technically, the inverse of the shortfall risk concept, in which the shortfall risk is 
specified, and the threshold level is derived therefrom). VaR is a common 
measure of risk in the banking sector, where it is typically calculated daily and 
used to monitor trading activity. 

□ Expected policyholder deficit (EPD) or economic cost of ruin (ECOR) — an 
enhancement to the probability of ruin concept (and thus shortfall risk and VaR) 
in which the severity of ruin is also reflected. Technically, it is the expected value 
of the shortfall. (In an analogy to bond rating, it is comparable to considering the 
salvage value of a bond in addition to the probability of default.) For insurance 
companies, the more common term is EPD, and represents the expected shortage 
in the funds due to policyholders in the event of liquidation. 

□ Tail Value at Risk (Tail VaR) or Tail Conditional Expectation (TCE) — an 
ECOR-like measure in the sense that both the probability and the cost of “tail 
events” are considered. It differs from ECOR in that it is the expected value, 
from first dollar, of all events beyond the tail threshold event, not just the shortfall 
amount. 
□ Tail events - unlikely but extreme events, usually from a skewed distribution. 
Rare outcomes, usually representing large monetary losses. 


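[Figure: Cumulative Probability (vertical axis) plotted against Assets - Liabilities 
(horizontal axis, running from negative through 0 to positive), with Capital marked.] 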


■ Performance-related measures (these measures concentrate on the mid-region of the 
probability distribution - see “risk profile” above - i.e., the region near the mean, and 
are relevant for determination of the volatility around expected results, i.e., the 
numerator of RARORAC; they are of particular concern to owners and their proxies, 
e.g., stock analysts): 

□ Variance — the average squared difference between a random variable and its 
mean. 

□ Standard deviation — the square root of the variance. 

□ Semi-variance and downside standard deviation — modifications of variance and 
standard deviation, respectively, in which only unfavorable deviations from a 
specified target level are considered in the calculation. 

□ Below-target-risk (BTR) — the expected value of unfavorable deviations of a 
random variable from a specified target level (such as not meeting an earnings 
target). 


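[Figure: Cumulative Probability (vertical axis) plotted against Cumulative Earnings 
(horizontal axis, running from negative through 0 to positive), with the Target marked.] 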
Risk Measure: Standard Deviation 
Formula: [formula missing], where n is the number of simulation iterations and 
xbar is the average value over all iterations. This is a commonly used 
measure of risk by academics and capital markets. It is interpreted as the 
extent to which the financial variable could deviate either above or below 
the expected value. Note that equal weight is given to deviations of the 
same magnitude regardless of whether the deviation is favorable or 
unfavorable. (There are different schools of thought on whether standard 
deviation in this context should measure total volatility or only the 
non-diversifiable volatility.) 

Risk Measure: Shortfall Risk 
Formula: [... then 1, else 0] / n * 100%, where T is the target 
value for the financial variable and n is the number of simulation iterations. 
This is an improvement over standard deviation because it reflects the fact 
that most people are risk averse, i.e., they are more concerned with 
unfavorable deviations rather than favorable deviations. It is interpreted as 
the probability that the financial variable falls below a specified target level. 

Risk Measure: Value at Risk (VaR) 
Formula: In VaR-type measures, the equation is reversed: the shortfall risk is specified 
first, and the corresponding value at risk (T) is solved for. 

Risk Measure: Downside Standard Deviation 
Formula: $\sqrt{\frac{\sum (\min[0, (x_i - T)])^2}{n}}$, where T is the target value 
for the financial variable and n is the number of simulation iterations. This is a further 
improvement over the other metrics because it focuses not only on the 
probability of an unfavorable deviation in a financial variable (as with 
shortfall risk) but also the extent to which it is unfavorable. It is interpreted 
as the extent to which the financial variable could deviate below a specified 
target level. 

Risk Measure: Below Target Risk (BTR) 
Formula: BTR is similar, but the argument is not squared, and there is no square root 
taken of the sum. 
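The measures in the table above, together with EPD and Tail VaR from the solvency list, computed over simulation output. This is an added example, not part of the original report; the ten outcomes are constructed, and dividing by n in the standard deviation, treating "below target" as strictly below, and the empirical quantile rule used for VaR are assumptions.

```python
import math

# Constructed sample: 10 simulated outcomes of (assets - liabilities), $ millions.
OUTCOMES = [-30.0, -10.0, 5.0, 10.0, 20.0, 25.0, 30.0, 40.0, 50.0, 60.0]


def standard_deviation(xs):
    """Root mean squared deviation from xbar (assumption: divide by n)."""
    n = len(xs)
    xbar = sum(xs) / n
    return math.sqrt(sum((x - xbar) ** 2 for x in xs) / n)


def shortfall_risk(xs, target):
    """Percentage of iterations that fall below the target T.

    Assumption: "below" means strictly below (x < T).
    """
    return 100.0 * sum(1 for x in xs if x < target) / len(xs)


def _tail_count(xs, shortfall_pct):
    """Number of iterations in the adverse tail for a given shortfall risk."""
    k = int(math.floor(shortfall_pct / 100.0 * len(xs) + 1e-9))
    if not 0 < k < len(xs):
        raise ValueError("shortfall_pct must leave a non-empty tail and body")
    return k


def value_at_risk(xs, shortfall_pct):
    """The equation reversed: fix the shortfall risk, solve for the threshold T.

    With no tied outcomes, shortfall_risk(xs, T) returns shortfall_pct again.
    """
    return sorted(xs)[_tail_count(xs, shortfall_pct)]


def downside_standard_deviation(xs, target):
    """sqrt( sum( min[0, x_i - T]^2 ) / n ): only unfavorable deviations count."""
    return math.sqrt(sum(min(0.0, x - target) ** 2 for x in xs) / len(xs))


def below_target_risk(xs, target):
    """Same sum without the square or the square root; zero or negative."""
    return sum(min(0.0, x - target) for x in xs) / len(xs)


def expected_policyholder_deficit(xs, ruin_point=0.0):
    """EPD / ECOR: expected value of the shortfall below the point of ruin."""
    return -below_target_risk(xs, ruin_point)


def tail_value_at_risk(xs, shortfall_pct):
    """Tail VaR / TCE: mean outcome, from first dollar, beyond the VaR threshold."""
    k = _tail_count(xs, shortfall_pct)
    return sum(sorted(xs)[:k]) / k


def summary(xs, earnings_target=20.0, ruin_pct=20.0):
    """Collect every measure for one set of simulated outcomes."""
    return {
        "standard deviation": standard_deviation(xs),
        "shortfall risk vs target (%)": shortfall_risk(xs, earnings_target),
        "probability of ruin (%)": shortfall_risk(xs, 0.0),
        "VaR threshold T": value_at_risk(xs, ruin_pct),
        "downside standard deviation": downside_standard_deviation(xs, earnings_target),
        "below target risk": below_target_risk(xs, earnings_target),
        "EPD": expected_policyholder_deficit(xs),
        "Tail VaR": tail_value_at_risk(xs, ruin_pct),
    }


if __name__ == "__main__":
    for name, value in summary(OUTCOMES).items():
        print(f"{name:32s} {value:10.3f}")
```

On this sample the EPD equals the probability of ruin times the distance of Tail VaR below the ruin point (0.20 x 20 = 4), which shows how ECOR counts only the shortfall while Tail VaR counts the whole outcome.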


Risk Modeling 

Risk modeling refers to the methods by which the risk and performance measures 
described above are determined. This chapter discusses the major classes of models used 
in the ERM process. It should be noted that these are general classes of models. The 
models used within any organization will typically be customized to accommodate the 
unique needs of, and the specific risks faced by, that organization. No two such models 
are exactly alike. 

Most organizations will have at least a simple financial model of their operations that 
describes how various inputs (i.e., risk factors, conditions, strategies and tactics) will 
affect the key performance indicators (KPIs) used to manage the organization. For any 
given organization, these KPIs may be one or more of the overall corporate performance 
measures described earlier in this chapter (e.g., revenue growth, earnings growth, 
earnings per share, growth in surplus, growth in embedded value, customer satisfaction 
and/or brand image). For publicly traded companies, the KPIs are often explicitly or 
implicitly defined by the market (i.e., they are the measures focused upon by the 
organization’s stock analysts). These models are often used in developing strategic and 
operational plans. For example, insurance companies typically make assumptions 
regarding future trends in claim costs by business segment (e.g., by line of business, by 
region), which are used to determine needed rate levels by segment. These rate level 
projections are then combined with assumptions on volume growth and other relevant 
inputs to derive a pro forma estimate of overall corporate earnings (or some other KPI). 
Often, business decisions (e.g., rate level, volume growth) are fine-tuned in order to 
produce the desired expected KPI result. Because these models explicitly capture the 
structure of the cause/effect relationships linking inputs to outcomes, they are termed 
structural (or causal) financial models. 

These structural financial models are generally deterministic models because they 
describe expected outcomes from a given set of inputs without regard to the probabilities 
of outcomes above or below the expected values. These models can be transformed into 
stochastic (or probabilistic) models by treating certain inputs as variable. For example, 
expected future claim cost trend might be an input to a deterministic model of corporate 
earnings; recognizing that there is uncertainty in this trend, a probability distribution 
around the expected trend would be an input to a stochastic model. The model output, 
corporate earnings in this case, would then also be a probability distribution. 

As outlined below, the two general classes of stochastic risk models are statistical 
analytic models and structural simulation models. “Statistical” vs. “structural” refers to 
the manner in which the relationships among random variables are represented in the 
model; “analytic” vs. “simulation” refers to the way in which the calculations are actually 
carried out. These four terms are defined separately below; the way they are combined is 
illustrated and contrasted in the table that follows the definitions. 

■ Analytic methods — models whose solutions can be determined “in closed form” by 
solving a set of equations. These methods usually require a restrictive set of 
assumptions and mathematically tractable assumed probability distributions. The 
principal advantage over simulation methods is ease and speed of calculation. 

■ Simulation methods (often called Monte Carlo methods) — models that require a 
large number of computer-generated “trials” to approximate an answer. These 
methods are relatively robust and flexible, can accommodate complex relationships 
(e.g., so-called “path dependent” relationships commonly found in options pricing), 
and depend less on simplifying assumptions and standardized probability 
distributions. The principal advantage over analytic methods is the ability to model 
virtually any real-world situation to a desired degree of precision. 

■ Statistical methods — models that are based on observed statistical qualities of (and 
among) random variables without regard to cause/effect relationships. The principal 
advantage over structural models is ease of model parameterization from available 
(often public) data. 

□ Mean/variance/covariance (MVC) methods — a special class of statistical 
methods that rely on only three parameters: mean, variance, and covariance 
matrix. 

■ Structural methods — models that are based on explicit cause/effect relationships, not 
simply statistical relationships such as correlations. The cause/effect linkages are 
typically derived from both data and expert opinion. The principal advantages over 
statistical methods are the ability to examine the causes driving certain outcomes (e.g., 
ruin scenarios), and the ability to directly model the effect of different decisions on 
the outcome. 

■ Dynamic Financial Analysis (DFA) — the name for a class of structural simulation 
models of insurance company operations, focusing on certain hazard and financial 
risks and designed to generate financial pro forma projections. 

Note: As a practical matter and as noted above, the choice of modeling approach is 
typically between statistical analytic models and structural simulation models. The 
contrast between these modeling approaches is summarized in the table below: 


Representation of Relationships: Statistical (based on observed statistical qualities 
without regard to cause/effect) 
Calculation Technique: Analytic (closed-form formula solutions) 
Examples: RBC; rating agency models 
Relative Advantages: Speed; ease of replication; use of publicly available data 
(well suited for industry oversight bodies) 

Representation of Relationships: Structural (based on specified cause/effect linkages; 
statistical qualities are outputs, not inputs) 
Calculation Technique: Simulation (solutions derived from repeated “draws” from the 
distribution) 
Examples: DFA; many options pricing models 
Relative Advantages: Flexibility; treatment of complex relationships; incorporation of 
decision processes; ability to examine scenario drivers (well suited for individual 
companies) 


The models described above generally presuppose the existence of sufficient data with 
which to fully parameterize the models. This is often not the case in practice, particularly 
as respects operational and strategic risks. 

There is a wide variety of risk modeling methods that can be applied to a specific risk. 
They can be thought of as lying on a continuum that is based on the extent to which they 
rely on historical data vs. expert input (see Figure A below). Along the continuum of 
sources of information, the methods listed on the left are ones that rely primarily on the 
availability of historical data. They include, for example, empirical distributions, 
parametric methods to fit theoretical probability density functions, regression, stochastic 
differential equations and extreme value theory. These methods have been used 
extensively by financial institutions to model financial risks. 


The methods listed on the right in Figure A rely primarily on expert input, including for 
example, Delphi method, preference among bets or lotteries, and influence diagrams. 
These have been used successfully for several decades by decision and risk analysts to 
model operational risks in support of management decision-making in manufacturing, 
particularly in the oil and gas industry, and in the medical sector. The methods listed in 
the middle of the continuum rely on data, to the extent that it is available, and expert 
judgment to supplement the missing data. In these methods, expert judgment is used to 
develop the model logic indicating the interactions among key variables and to quantify 
cause/effect relationships based on experience and ancillary or sparse data. Methods 
such as system dynamics simulation, Bayesian belief networks and fuzzy logic in 
particular are ideally suited for quantifying operational and strategic risks. 


Figure A - There is a continuum of methods for modeling risks. Each method 
has advantages/disadvantages over others, so it’s important to select the best 
methods based on facts and circumstances. 

[Figure A: a continuum running from Data Analysis through Modeling to Expert Input. 
Methods shown, roughly from the data-analysis end to the expert-input end: 
  Empirically from historical data; Fit parameters for theoretical distribution; 
  Extreme Value Theory 
  Stochastic Differential Equations (SDEs); Neural Networks; Regression over 
  variables that affect risk 
  System Dynamics simulation; Bayesian Belief Networks; Fuzzy logic 
  Influence diagrams; Preference among bets or lotteries; Delphi method; 
  Direct assessment of relative likelihood or fractiles] 



Definitions and descriptions of the risk modeling methods that lie along this continuum 
are in Appendix B. 

Risk Integration 

Several of the risks of interest to the organization may be correlated with one another. 
For example, economic inflation (a driver of cost trends across multiple business 
segments) is highly correlated with interest rates (a driver of asset values and investment 
returns). It is important to capture these correlations - indeed, this is the essence of 
ERM. There are several ways to do this. 

A direct way to express dependencies among risks is to estimate the statistical 
correlations between each of the individual risks. These estimates are often arrayed in a 
“covariance matrix”. 
■ Covariance — a statistical measure of the degree to which two random variables are 
correlated. Related to correlation coefficient (correlation coefficient = covariance 
divided by the product of the standard deviations of the two random variables). A 
correlation coefficient of +1.0 indicates perfect positive correlation; -1.0 indicates 
perfect negative correlation (i.e., a “natural hedge”); zero indicates no correlation. 

■ Covariance matrix — a two-dimensional display of the covariances (or correlation 
coefficients) among several random variables; the covariance between any two 
variables is shown at their cross-section in the matrix. 

The estimation of these covariances can be a practical difficulty, as the number of 
estimates required rises as the square of the number of risks. 

An alternative way to capture risk interrelationships is through a structural simulation 
model of the enterprise, described above. In essence, a structural simulation model 
allows one to capture the dependencies among variable inputs in a simple, accurate and 
logically consistent way by virtue of the model’s cause/effect linkages of these inputs to 
common higher-level inputs. 

For example, interest rates and inflation rates are often generated stochastically by means 
of an economic scenario generation model, wherein these two random variables are 
linked to higher-level economic forces. In turn, other lower-level random variables, such 
as product costs, prices, asset values and investment income, are linked causally to 
interest rates and inflation rates within the model. Without such structural linkages, other 
models (such as MVC models, described above) can generate sets of random variables 
that are unrealistic relative to each other, regardless of how accurate the correlation 
estimates among them may be. 

The statistical correlations among risks that are related through a structural simulation 
model are an emergent property (i.e., an output) of the model, not values to be separately 
estimated. To the extent that certain inputs are not related to a common higher-level 
input, yet one believes that a relationship exists between them, these correlations can be 
stated explicitly in terms of a covariance matrix, whose values can be determined through 
data analysis, expert opinion or both. 

Risk Prioritization 


Risk prioritization is ranking material risks on an appropriate scale, such as frequency, 
severity or both. 

■ Risk mapping — the visual representation of identified risks in a way that easily 
allows ranking them. This representation often takes the form of a two-dimensional 
grid with frequency (or likelihood of occurrence) on one axis, and severity (or degree 
of financial impact) on the other axis; the risks that fall in the 
high-frequency/high-severity quadrant are typically given highest priority risk management attention. 
A more useful ranking of risks is in terms of each risk’s impact on the organization’s 
overall key performance indicators (KPIs). The marginal contribution of each individual 
risk factor to the overall risk profile of the organization can be determined by “turning 
off” that risk factor (changing that particular input from stochastic to deterministic) and 
examining the impact on the KPI probability distribution. This technique provides a 
straightforward way of isolating the impact of a particular risk factor (such as natural 
catastrophes) on overall capital adequacy, for example. In this way, the prioritization of 
risk factors, which is often done qualitatively, can be more rigorously validated. 
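The two ideas above in one small structural simulation: the correlation between claims and investment income emerges from their shared link to inflation, and each risk factor is ranked by "turning it off" and re-measuring required capital at a 1% probability of ruin. This is an added example, not part of the original report; the model structure, factor names and every parameter value are hypothetical.

```python
import math
import random

# Hypothetical structural model of one insurer (amounts in $ millions).
# Expected value of each stochastic input, used when the factor is "turned off".
EXPECTED = {"inflation": 0.03, "rate_noise": 0.0, "cat_loss": 5.0}
PREMIUM, BASE_CLAIMS, ASSETS = 100.0, 80.0, 500.0


def simulate(n_trials=20000, off=(), seed=7):
    """Return (claims, investment_income, earnings) for each trial.

    Factors named in `off` are held at their expected value. Every factor is
    still drawn on every trial, so runs with different `off` sets share the
    same random numbers and differ only in the switched-off factor.
    """
    rng = random.Random(seed)
    rows = []
    for _ in range(n_trials):
        drawn = {
            "inflation": rng.gauss(0.03, 0.02),
            "rate_noise": rng.gauss(0.0, 0.01),
            "cat_loss": 100.0 if rng.random() < 0.05 else 0.0,
        }
        x = {k: (EXPECTED[k] if k in off else v) for k, v in drawn.items()}
        # Cause/effect linkages: inflation drives both claim costs and rates.
        interest_rate = 0.02 + 0.5 * x["inflation"] + x["rate_noise"]
        claims = BASE_CLAIMS * (1.0 + 5.0 * x["inflation"])
        investment_income = ASSETS * interest_rate
        earnings = PREMIUM - claims - x["cat_loss"] + investment_income
        rows.append((claims, investment_income, earnings))
    return rows


def correlation(a, b):
    """Correlation coefficient = covariance / product of standard deviations."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b)) / n
    sd_a = math.sqrt(sum((x - mean_a) ** 2 for x in a) / n)
    sd_b = math.sqrt(sum((y - mean_b) ** 2 for y in b) / n)
    return cov / (sd_a * sd_b)


def required_capital(earnings, ruin_probability=0.01):
    """Capital that limits the probability of ruin to ruin_probability."""
    ordered = sorted(earnings)
    k = int(math.floor(ruin_probability * len(ordered) + 1e-9))
    return max(0.0, -ordered[k])


def marginal_contributions(ruin_probability=0.01):
    """Rank risk factors by the capital released when each is turned off."""
    base = required_capital([r[2] for r in simulate()], ruin_probability)
    released = {}
    for factor in EXPECTED:
        earnings = [r[2] for r in simulate(off=(factor,))]
        released[factor] = base - required_capital(earnings, ruin_probability)
    ranked = sorted(released.items(), key=lambda kv: kv[1], reverse=True)
    return base, ranked


if __name__ == "__main__":
    rows = simulate()
    rho = correlation([r[0] for r in rows], [r[1] for r in rows])
    print(f"emergent correlation, claims vs investment income: {rho:.2f}")
    base, ranked = marginal_contributions()
    print(f"required capital, all factors stochastic: {base:.1f}")
    for factor, amount in ranked:
        print(f"  turning off {factor:10s} releases {amount:6.1f}")
```

No correlation is supplied as an input here; it is measured from the output, and the ranking isolates the catastrophe factor as the driver of capital adequacy.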

Tool Applications for Treating/Exploiting Risks 

The techniques, models and measures above are used in various combinations to assist 
management decision-making in a number of areas. Several of these specific 
applications are discussed below, following the definitions of two generic applications 
(“optimization” and “candidate analysis”) that are employed within some of these 
specific applications. Note that the following list of specific applications is not 
exhaustive, and is expected to grow as ERM matures as a discipline. Virtually any 
decision that requires evaluating risk/return trade-offs is a candidate for ERM treatment. 

■ Generic applications: 

□ Optimization — the formal process by which decisions are made under conditions 
of uncertainty. Components of an optimization exercise include a statement of 
the range of decision options, a representation of the uncertain conditions (usually 
in the form of probability distributions), a statement of constraints (usually in the 
form of limitations on the range of decision options), and a statement of the 
objective to be maximized (or minimized). An example of an optimization 
exercise is an asset allocation study (see below under risk management 
applications). [See also “candidate analysis”, below.] 

□ Candidate analysis — a restricted form of optimization analysis in which only a 
finite number of prespecified decision options are considered, and the best set 
among those options is determined through the analysis. Optimization and 
candidate analyses can be contrasted as follows. An optimization analysis would 
typically result in the derivation of an “efficient frontier” curve in risk/return 
space, which contains the decision options that result in maximum return for each 
level of risk (i.e., the optimal decision option for each level of risk). A candidate 
analysis would not derive the efficient frontier curve, but would simply show the 
finite number of decision options in comparison with each other in risk/return 
space (i.e., a “scatter plot”). It would not be known how close each option is to 
the efficient frontier of options. Conceptually, if a candidate analysis were 
performed on an infinite number of candidate decision options, then the 
“envelope” or boundary of those options would form the efficient frontier. 

■ Capital management: 

□ Capital adequacy — the determination of the minimum amount of capital needed 
to satisfy a specified economic capital constraint (e.g., a certain probability of 
ruin), usually calculated at the enterprise level. 





Overview of Enterprise Risk Management 


□ Capital structure — the determination of the optimal mix of capital by type (debt, 
common equity, preferred equity), given the risk profile and performance 
objectives of the enterprise. 

□ Capital attribution — the determination of the assignment of enterprise level 
capital to the various business segments (e.g., lines of business, regions, projects) 
that make up the enterprise, in recognition of the relative risk of each segment, for 
purposes of measuring segment performance on a risk-adjusted basis (e.g., to 
provide the denominator for a RORAC or RARORAC analysis by segment). 

— Diversification credit — the recognition of the “portfolio effect”, which is the 
fact that the economic capital required at the enterprise level will be less than 
the sum of the capital requirements of the business segments calculated on a 
stand-alone basis. The diversification credit is typically apportioned to the 
business segments in a manner that attempts to preserve the relative equity of 
the capital attribution process. 

□ Capital allocation — the actual deployment of capital to different business 
segments. 

■ Performance measurement — the development and implementation of appropriate 
risk-based metrics for evaluation of business segment performance, reflecting capital 
consumption, return and volatility. 

■ Investment strategy/asset allocation — the determination of the optimal mix of assets 
by asset class (usually to maximize expected return at each level of risk, i.e., 
according to Modern Portfolio Theory). In advanced applications, the analysis 
reflects the nature and structure of both assets and liabilities and is called 
asset/liability management (ALM). 



[Figure: chart with “Level of Risk” as an axis label.] 


■ Insurance/reinsurance/hedging strategy optimization — the determination of the 
optimal insurance/reinsurance/hedging program, reflecting program costs and risk 
reduction capability; usually conducted through candidate analysis. The risk 
reduction capability manifests itself in terms of both reduction in required economic 
capital and reduction in the cost of capital or required risk-adjusted rate of return. 
■ Crisis management — the proactive response of an organization to a severe event that 
could potentially impair its ability to meet its performance objectives. 

■ Contingency planning — the process of developing, and embedding in the 
organization, crisis management protocols in advance of crisis conditions. 

■ Business expansion/contraction strategy — the evaluation of merger, acquisition and 
divestiture options in terms of their incremental impact on the risk profile of the 
enterprise. 

■ Distribution channel strategy — the systematic evaluation of alternative channels 
(e.g., direct, agency, Internet), by means of simulation analysis to test impacts on 
growth, market share, profitability, etc. on a risk/return basis. 

■ Strategic planning — the use of structural simulation modeling, such as “real options” 
modeling, as a decision tool to assist management in selecting among alternative 
strategies, such as long-term research projects (see “Scientific Management at 
Merck”, Harvard Business Review, 1994). 

Risk Monitoring 

Continual monitoring of the risk environment, and of the performance of the risk 
management processes, is often done by means of a senior management risk dashboard 
— the graphical presentation of the organization’s key risk measures (often against their 
respective tolerance levels), as in the chart below. 



Typical measures included in the dashboard are shown in the following tables. 
Marketing 


■ New business sold 

■ Retention of old business 

■ Mix of business: new and 
renewal 

■ Market share by customer 
type 

■ Average premium or assets 
per customer 

■ % high-yield customers 

■ Customer satisfaction 

■ Average # of products per 
customer 


Underwriting 


■ Price achieved vs. target 
price 

■ Exposure data (number of 
cars, payroll, etc.) 

■ Exposure mix 

■ Quotes 
accepted/declined 

■ Variance analysis 

■ Premium persistency 

■ Loss ratio 

■ Loss adjustment expense 


Financial 


■ Revenue 

■ Underwriting profit 

■ Investment profit 

■ Pre-tax operating income 

■ Net income 

■ Return on equity and total capital 

■ Economic value added 


Sales/Distribution 


■ Acquisition costs per sale 

■ Sales by distribution channel 

■ Growth/retention of agents 


Investments 


■ Cash flow 

■ Yield on new investments 

■ Yield on portfolio by class and 
duration 

■ Convexity of assets 

■ Duration of assets 

■ Investment mix: new and portfolio 

■ Credit default 

■ Total return 


Human Resources 


■ Agency composition 
(number, age, service) 

■ Total employment by 
department 

■ Number and percentage 
leaving the company 

■ Vacancy rates 

■ Average salary increase 
vs. plan 

■ Employee commitment and 
engagement 


Claims 


■ Frequency and severity of 
claims 

■ Claims department 
productivity 


External Data 


■ Audit compliance 

■ Inflation rates 

■ Interest rates 

■ GNP 

■ Competitor pricing 


Note: Certain material in this chapter was drawn from the article “The Language of 
Enterprise Risk Management: A Practical Glossary and Discussion of Relevant Terms, 
Concepts, Models and Measures”, by Jerry Miccolis, in the Enterprise Risk Management 
Expert Commentary section of the Web site of the International Risk Management 
Institute, http://www.irmi.com/expert/risk.asp. As noted therein, certain of these 
definitions were adapted from The Dictionary of Financial Risk Management, by 
Gastineau and Kritzman, 1996, Frank J. Fabozzi Associates. Certain other material was 
drawn from the Tillinghast-Towers Perrin monograph RiskValueInsights: Creating 
Value Through Enterprise Risk Management, (http://www.tillinghast.com). 

V. ERM Case Studies 

This chapter recounts a number of success stories in which organizations made the 
commitment to and then benefited from ERM. Some of these benefits are explicit and 
measurable (e.g., increased investment returns, decreased capital requirements), others 
are more intangible but no less real (e.g., more enlightened strategic planning, more 
rigorous performance measurement/management). There should be elements from this 
collection of cases that will resonate with any given organization. 

It also should be clear from these cases that, in terms of objectives, scope (of risks and of 
processes), organization, tools and techniques, there are a number of legitimate 
approaches to ERM and no single “correct way” that is appropriate for all entities. The 
proper approach to ERM for any enterprise is one that fits within the culture of that 
enterprise. 

Risk Assessment 


A large, market-leading manufacturer and distributor of consumer products, with an 
uninterrupted 40-year history of earnings growth, embarked on ERM well before its 
competitors. This step followed their philosophy of “identifying and fixing things before 
they become problems”. They were spurred by their rapid growth, increasing 
complexity, expansion into new areas, and the heightened scrutiny that accompanied their 
recent initial public offering. They conducted a comprehensive assessment of all risks 
that could potentially prevent the company from achieving its promised results. Views of 
company executives on key performance measures and risk thresholds were validated 
against financial models of stock analyst expectations. Multiple methodologies were 
used to rank order risks from all sources (hazard, financial, operational and strategic) on 
the basis of expected impact, and the results cross-validated. High-priority risk factors 
were interpreted and classified (as “strategic”, “adaptation”, “manageable”, “business as 
usual”) for appropriate response, and strategies for mitigation and exploitation were 
developed. In addition, a “Business Risk Self-assessment Toolkit” was created for 
ongoing use. Senior management credits the ERM effort, and their communication of 
that effort to the investment community, as one of the drivers of the company’s superior 
market valuation. 

A large health plan had traditionally conducted separate and uncoordinated risk 
assessments through its risk management, legal and internal audit functions. It undertook 
an enterprise-wide risk assessment covering all functional and operational divisions. The 
objective was to prioritize all sources of risk against a common set of financial and 
customer metrics to enable senior management to focus the organization’s limited 
resources on the proper short list of critical concerns. In addition to providing a 
meaningful and useful calibration of risks of varied types, this exercise surfaced critical 
business risks that had not been identified through any previous audit or strategic 
planning exercise. Senior management uses the results of this assessment to set its 
strategic agenda. 

Distribution Strategy 

A medium-sized life insurance company wanted to reconsider their distribution strategy 
in light of plans to demutualize the following year. The bulk of their production came 
from a network of career agencies, and the company wanted to investigate not only other 
distribution channels but also the possibility of becoming a wholesaler to other financial 
institutions. They decided to analyze the risk/value economics of alternative operational 
strategies by developing a financial model of the underlying business dynamics. The 
process of model development and assumption setting forced the management team to 
articulate the alternative strategies more clearly and with greater specificity than they had 
thus far. The model was used iteratively to evaluate further variations in strategy 
suggested by a review of the projected financials at each prior iteration. Modeling the 
economics provided the management team with valuable information on the risks and 
opportunities underlying alternative strategies. As a result, the team was able to reach 
consensus on a distribution strategy that was better understood and provided the best 
prospects of success. 

Performance Measurement 


A large multinational financial services group undertook an assessment of the relative 
levels of economic capital required by each of its life and nonlife insurance subsidiaries. 
This involved identifying the major sources of risk in each line of business and modeling 
the impact of these risk areas on the projected cash flows. The results were used to 
determine an appropriate level of capital at individual product level, subsidiary level, 
product group level (across subsidiaries) and finally at group level. An economic 
scenario generation model was used to allow cross-currency aggregation. The resulting 
attribution of capital is used as the foundation for a performance measurement system 
relating shareholder risk to return on capital and total shareholder return. Actual return 
on capital is compared to the hurdle rate implied by the shareholder risk and differences 
are analyzed into above- and below-the-line effects. 

Asset Allocation 


A property/casualty insurance company’s conservative asset mix resulted in performance 
returns that were not competitive. They evaluated alternative asset allocation strategies, 
along with an integrated reinsurance program, to enhance the returns from investments 
and manage the risk of their business. However, the company did not want its rating 
from A.M. Best to be affected as a result of implementing a more aggressive investment 
strategy. They developed a comprehensive model of the company and evaluated multiple 
scenarios of economic value in relation to risk. The model allowed them to develop a 
strategy to alter their asset allocation. A financial integrated stop-loss reinsurance 
program was designed with an investment hedge to mitigate the possibility that the 
investment portfolio may underperform a target return. The result: enhanced expected 
returns of the investment portfolio and lowered downside risk on operating income. The 
executive team’s understanding of their return opportunities in relation to the risks of the 
business was deepened. This insight was used to focus the work of line managers, and 
also used in discussions with outside parties regarding overall risk management. 

Strategic Planning 

A leading global manufacturer and distributor of patented pharmaceuticals has developed 
its ERM approach around a “real options” model. In an industry noted for very 
expensive, very long-term research projects, success is dependent on making the right 
“bets” on those research projects, both at their outset and at critical decision junctures 
throughout the projects’ life span. The company credits its pioneering work on its 
Research Planning Model as a key contributor to its competitive advantage. This model 
captures the important medical, operational and financial risks of each project, and 
applies sophisticated options pricing theory to discern among alternative projects and to 
manage the continuing investments in projects that pass the initial screening process. 

This approach, by recognizing the dynamics of the staged research decision process, has 
allowed the company to pursue ultimately successful projects that would have failed a 
more traditional net present value screening process. (Note: This case study is 
documented in “Scientific Management at Merck: An Interview with CFO Judy Lewent”, 
Harvard Business Review, January-February 1994.) Certain tools developed for this 
approach - most notably “decision trees” - have become routinely used in management 
discussions of unrelated issues throughout various organizational levels, thus contributing 
to the company’s “common language of risk”. 

The board of directors at a large electric utility, motivated both by local corporate 
governance guidelines and the opening of their industry to competition, mandated an 
integrated approach to risk management throughout the organization. They piloted the 
process in a business unit that was manageable in size, represented a microcosm of the 
risks faced by the parent, and did not have entrenched risk management systems. This 
same unit was the focus of the parent’s strategy for seeking international growth - a 
strategy that would take the organization into unfamiliar territory - and had no 
established process for managing the attendant risks in a comprehensive way. The pilot 
project was deemed a success and, among other things, the ERM unit is now a key 
participant in the organization’s strategic planning process. This participation takes the 
form of building stochastic models around the key drivers of the strategic plan (weather 
conditions, customer demands, economic conditions, etc.) to assess the robustness of the 
plan. The board will not approve the strategic plan without such an ERM evaluation. 

Product Design 

A life insurer was looking to improve the product design features of its flagship universal 
life product; specifically, incorporating a market value adjustment to protect against 
having to credit high interest in times of falling asset market values. The market value 
adjustment could have been a serious detriment to potential policyholders and might not 
have received regulatory approval. Working together, senior management, an actuarial 
team and the investment fund manager determined that an ALM model be developed 
using a set of stochastically generated interest rate scenarios. Various investment 
strategies were considered, covering a varying mix of mortgages, high-quality corporate 
bonds and CMO’s. The ALM model then made projections based on the modeled 
relationship between the yield on these asset classes and the yield curve for treasuries as 
produced by the stochastic interest rate generator. Appropriate assumptions were made 
for defaults and prepayment risk. The yield relationships and other asset assumptions 
were reviewed by the fund management team, which also appraised the actuaries’ 
assumptions underlying the model that was used to create the stochastically generated 
interest rate scenarios. Duration and convexity of both assets and liabilities were then 
analyzed, and the product design and the planned investment strategy fine-tuned to bring 
the assets and liabilities into balance. At this point, senior management analyzed various 
profit metrics for different investment strategies, looking at extreme scenarios for special 
review. Based on this analysis, the product appeared to hold up well even under the most 
extreme interest rate scenarios without any market value adjustment. The ALM analysis 
was effectively used to establish the product design and set the investment policy, and the 
product was filed without any market value adjustment. 

Dividend Strategy 

A medium-sized foreign life insurance company wanted to analyze the viability of their 
current dividend strategy for traditional business. Its market provided stable long-term 
dividend rates at a high level, even while market interest rates have declined, by 
smoothing book yields via accrual and realization of “hidden” reserves (unrealized 
capital gains on assets) and unallocated bonus reserves. In the prevailing low interest rate 
environment, the key competitive issue had become how long companies could finance 
their current dividend rates from existing buffers as compared to the market. In order to 
analyze the company’s competitive position, ALM models were built for the company 
and a representative market company, reflecting the company’s specific portfolio 
structure and strategies. On the basis of stochastic scenario generation, the estimated 
time until ruin (until buffers had been exhausted) was determined for a range of potential 
ALM strategies for the company and compared to the results for the market. By varying 
the investment strategy, the company improved its risk/return positioning. As a result of 
the benchmark study, the life insurer received an indication of its current competitive 
position and a quantification of alternative ALM strategies, which led the company to 
reassess its dividend setting strategy for the entire traditional life portfolio. 

Risk Financing 

A very large retail company’s CFO wanted to “assess the feasibility of taking a broader 
approach to risk management in developing the organization’s future strategy”. As part 
of this effort, they hoped to “evaluate our hazard risk and financial risk programs and 
strategies, to identify alternative methods of organizing and managing these exposures on 
a collective basis”. As a first step, the company designed and built a model to provide an 
improved capability to evaluate its hazard and financial risks, both individually and on an 
aggregate portfolio basis. Criteria were developed to evaluate alternative risk financing 
programs based on appropriate measures of performance for risk and return. These 
evaluation criteria allowed the company to develop risk/return “efficient frontiers”, 
representing a range of possible changes from their current program, on which to make 
informed management decisions. These decisions included: 

■ Choosing among competing insurance program submissions 

■ Determining retention levels 

■ Developing negotiating strategies 

■ Designing an overall risk financing strategy 

■ Prioritizing risk management activities (e.g., risk control). 

The process for developing this capability included the determination of both appropriate 
return measures (e.g., net income, net cash flow) and appropriate risk measures (e.g., 
magnitude of potential loss, variance in financial measures, liquidity, compliance with 
bond covenants). These measures recognized and were developed from the variety of 
needs of key decision-makers, identified via structured interviews. Additionally, the 
process provided an understanding of those factors that have the greatest impact (in risk 
and return terms) on the performance of individual risks as well as the portfolio of all 
risks. To codify this process, the company developed a computer-based decision-support 
tool (with “senior management-friendly” graphics) that facilitated the evaluation of 
hazard and financial risks and allowed the decisions to be fact-based and consistent. 

In addition to these examples, there are numerous others that demonstrate additional 
collateral benefits to undertaking an ERM process. These include: 

■ Improved communication and collaboration within the organization; 

■ Better-informed decisions at all levels in the organization by having gone through a 
rigorous and systematic risk identification/prioritization process; and 

■ Valuable change in mindset wherein risk can be a source of opportunity and not 
merely a threat to be avoided. 

VI. Practical Considerations in Implementing ERM 

Once an enterprise decides to adopt ERM, it has to deal with a number of practical 
considerations in its successful implementation. These include, but are not limited to, the 
following: 

Designating an ERM “Champion” 

Given the implementation challenges, a unique individual is needed to spearhead the 
effort, becoming, in effect, the “champion” of the initiative. This role is often fulfilled by 
naming a Chief Risk Officer (CRO), who typically reports to the Chief Executive Officer 
or Chief Financial Officer. It is important that the organizational structure created for 
ERM (e.g., the CRO, the CRO’s staff, the Risk Management Committee) is accountable 
and has the authority to be a change agent. Senior sponsorship needs to be high enough 
in the organization to have a top-level view of all the risks facing the enterprise, see 
across all organizational “silos”, and have sufficient authority to effect changes in 
business practice. 

Making ERM part of the enterprise culture (“tearing down the silos”) 

Under the historical, fragmented approach to risk management, numerous personnel are 
involved in various aspects of risk management. Typical of such approaches, the risk 
management department is responsible for hazard risks; the treasury department is 
responsible for financial risks; the human resources department is responsible for workers 
compensation, health, and employee risks; information technology is responsible for 
many operational risks; and the marketing department is responsible for many strategic 
risks. More than likely, these departments report to different managers within the 
organization, use different risk assessment procedures and terminology, calibrate risk on 
different scales, and have different timeframes in mind. Instituting such a sweeping 
change as implementing ERM may invoke defensive postures as these departments try to 
protect “their turf”. The successful ERM approach would be one that coordinates all 
these different departments, recognizes the need for education, but allows for individual 
department initiative, flexibility, and autonomy. 

Determining all possible risks of the organization 

As the list of risks included in the ERM Framework demonstrates, there is a multitude of 
risks facing every enterprise. Often the greatest risks are those not contemplated. Who 
in the property and casualty insurance industry could have conceived the magnitude of 
environmental risks assumed in insurance policies prior to the mid-1980’s, or the 
terrorism exposure in the early 2000’s? Who in the pharmaceutical industry could have 
conceived of the effect of criminal tampering with products on store shelves? How can these 
risks be quantified, integrated or treated, if they cannot be identified? Some 
organizations have used their risk management committees to conduct and participate in 
periodic, structured “disaster scenario” brainstorming exercises specifically to 
contemplate and, as appropriate, plan for such “unthinkable” events. 

Quantifying operational and strategic risks 

Although a great body of literature exists in the quantification of hazard and financial 
risks, not all enterprises are able to quantify intangible risks such as operational and 
strategic risk. It is difficult to determine point estimates of likelihoods (i.e., frequency) 
and consequences (i.e., severity) of these risks, let alone determine probability 
distributions around these estimates. Not only do models generally not exist, but 
historical data that are the input to these models often do not exist either. Even if 
attempted, the cost of quantifying these risks needs to be considered in relationship to its 
benefit. 

Enterprises can overcome these difficulties by starting with qualitative analysis of 
operational and strategic risk to determine those that are material and to prioritize them. 

In addition, some have advocated the use of causal models, as opposed to parametric 
models, to quantify these risks. These causal models often already exist (e.g., in strategic 
planning, in logistics) in some form within the organization and may simply need to be 
“stochasticized”. 

Integrating risks (determining dependencies, etc.) 

Actuaries and financial analysts know of the difficulty in determining appropriate 
relationships or correlations for risks just within their respective areas of expertise, 
hazard and financial risks. These difficulties include: 

■ Past causal relationships are often not indicative of future relationships. 

■ There are differences in time frames (short-term, medium-term, long-term) to 
consider. 

■ Selecting correlation factors becomes cumbersome as the number of risks to review 
increases. 

These difficulties are compounded when considering operational and strategic risks, both 
within these risk categories and among other risk categories. 

Building structural models in modular form, which allows enhancement in manageable 
successive stages over time, is one practical approach some companies have employed. 

Lack of appropriate risk transfer mechanisms 

Although risk transfer mechanisms for hazard and financial risks exist via the insurance, 
reinsurance and capital markets, these markets are not complete in the sense of being able 
to provide all products and services that enterprises may need. These markets need to 
continue to evolve over time (such as the development of the alternative risk market for 
hazard risks) in order to provide products that will meet the risk transfer needs of 
enterprises. Risk transfer mechanisms for operational and strategic risks are even less 
mature. 

Monitoring the Process 

Ideally, ERM is not a one-time “project”, but a discipline that evolves over time as risks 
and opportunities within an enterprise change. The successful ERM process will include 
regular progress reports and comparisons to previous risk assessments so changes and 
refinements can be made as appropriate. Changes in the risk environment, based on new 
information, may result in changing strategies employed to treat and exploit risk. 
Regularly monitoring results can, and should, be tied to the time scales identified for the 
risks actively managed. 

Start Slowly - Build Upon Successes 

Because of the traditional, fragmented approach to risk management described earlier and 
the complexity of many businesses, enterprises often find it useful to start their ERM 
initiative slowly, tackling smaller projects first, so tangible results can be achieved early. 
The CRO or Risk Management Committee or both also may have limited resources 
initially, so they have to think on a smaller scale until successful projects are completed. 
However, the early successes can help to generate momentum and enthusiasm (and 
perhaps funding) for future ERM initiatives. 

The case studies in the preceding chapter include examples of how different companies in 
various industries started small in terms of any or all of the following: 

■ Risk type (e.g., combining hazard and financial risks first, then planning to layer in 
strategic and operational risks); 

■ Process step (e.g., starting with a qualitative enterprise-wide risk assessment, then 
proceeding to risk quantification); 

■ Organizational component (e.g., piloting ERM within a single corporate division). 

Just as there is no one correct approach to overall ERM design, there is no one correct 
path to incrementally building toward ERM. Both are dependent on the unique business 
imperatives and culture of each organization. 

Appendix A — Risk-Related Regulatory, Rating Agency and Corporate 
Governance Guidelines and Requirements 

Those developing ERM programs and policies need to consider a number of corporate 
governance guidelines and regulatory and rating agency requirements. The more 
prominent of these are described below. 

■ General Industry 

□ Cadbury Report, et al (U.K.) — the London Stock Exchange has adopted a set of 
principles, the Combined Code, that consolidates previous reports on corporate 
governance by the Cadbury, Greenbury and Hampel Committees. This code, 
effective for all accounting periods ending on or after December 23, 2000 (and 
with a lesser requirement for accounting periods ending on or after December 23, 
1999), makes directors responsible for establishing a sound system of internal 
control and reviewing its effectiveness, and reporting their findings to 
shareholders. This review should cover all controls, including operational and 
compliance controls and risk management. The Turnbull Committee issued 
guidelines in September 1999 regarding the reporting requirement for non- 
financial controls. 

□ Dey Report (Canada) — commissioned by the Toronto Stock Exchange and 
released in December 1994, it requires companies to report on the adequacy of 
internal control. Following that, the clarifying report produced by the Canadian 
Institute of Chartered Accountants, “Guidance on Control” (CoCo report, 
November 1995), specifies that internal control should include the process of risk 
assessment and risk management. While these reports have not forced Canadian 
listed companies to initiate an ERM process, they do create public pressure and a 
strong imperative to do so. In actuality, many companies have responded by 
initiating ERM processes. 

□ Australia/New Zealand Risk Management Standard — a common set of risk 
management standards issued in 1995 that call for a formalized system of risk 
management and for reporting to the organization’s management on the 
performance of the risk management system. While not binding, these standards 
create a benchmark for sound management practices that includes an ERM 
system. 

□ KonTraG (Germany) — a “mandatory bill” that became law in 1998. Aimed at 
giving shareholders more information and control and increasing the duty of care 
of the directors, it includes a requirement that the management board establish 
supervisory systems for risk management and internal revision. In addition, it 
calls for reporting on these systems to the supervisory board. Further, auditors 
appointed by the supervisory board must examine implementation of risk 
management and internal revision. 

■ Financial Services Industry 

□ Basel Committee: 

— The Basel Committee on Banking Regulation and Supervisory Practices was 
established in 1974 (originally called the Cooke Committee) in response to the 
erosion of capital in leading global banks. The committee meets under the 
auspices of the Bank for International Settlements (BIS) but is not part of the 
BIS. The committee consists of representatives from the central 
banks/supervisory authorities of the G10 countries and Luxembourg. The 
committee has no legal authority, but the governments of the representatives 
on the committee have always legislated to make the recommendations part of 
their own national law. The standards set by the committee are widely 
regarded to be best practice and a large number of other countries that are not 
formally represented on the committee have implemented the proposals. In 
the U.S., the Federal Reserve has adopted the Basel Capital Accord (“Basel I” - see below). 

— “Basel I” — the 1988 Basel Capital Accord established a framework to 
calculate a minimum capital requirement for banks. The Accord focused on 
credit risk and was crude in its recognition of the relative risk of different 
loans. A number of amendments were made to the Accord (prior to “Basel II” - 
see below), the most significant of which is the market risk amendment in 
1996; this extended the 1988 Accord to cover market risk and allowed for the 
use of internal models to quantify regulatory capital. 

— “Basel II” — in 1999 the Basel Committee issued a draft proposal for a new 
accord and accepted comment. Based on feedback, the Committee issued a 
revised proposal in 2001 for review and comment. In this New Basel Capital 
Accord, proposed for implementation in 2004, among other changes a capital 
charge for operational risk is included as part of the capital framework. The 
charge reflects the Committee’s “realization that risks other than market and 
credit” can be substantial. Operational risk is defined as “the risk of direct or 
indirect loss resulting from inadequate or failed internal processes, people and 
systems or from external events”. The new capital adequacy framework is 
proposed to apply to insurance subsidiaries of banks and may apply to 
insurance companies as insurance and banking activities converge. 

□ OSFI (Canada) — the Office of the Supervisor of Financial Institutions 
supervisory framework defines “inherent risk” to include credit risk, market risk, 
insurance risk, operational risk, liquidity risk, legal and regulatory risk and 
strategic risk. It states that: “Where independent reviews of operational 
management and controls have not been carried out or where independent risk 
management control functions are lacking, OSFI will, under normal 
circumstances, make appropriate recommendations or direct that appropriate work 
be done.” 

□ FSA (U.K.) — the Financial Services Authority (FSA - the recently created 
regulator of all U.K. financial services businesses) is introducing a system of risk- 
based supervision that will create a single set of prudential requirements 
organized by risk rather than by type of business. Regulated businesses will have 
to demonstrate that they have identified all material risks and have adequate 
systems and financial resources to manage and finance such risks, including 
market risk, credit risk, operational risk and insurance risk. There is also likely to 
be a requirement for formal documentation of the whole process in a format that 
is readily accessible to the FSA. 

■ Insurance Industry 

□ A.M. Best — in its publication Enterprise Risk Model: A Holistic Approach to 
Measuring Capital Adequacy, A.M. Best describes its VaR-based method for 
determining the adequacy of capital for rating purposes. The report states: “The 
Enterprise Risk Model is a modular system designed to capture all risks, including 
noninsurance and non-U.S. related risks. VaR methodologies are somewhat 
controversial in insurance circles, but they are the standard for other financial- 
services organizations. More importantly, A.M. Best believes that VaR-based 
methodologies provide a more accurate assessment of risk and required capital, 
since they use observable market metrics. Beyond its application in the rating 
process, the model can also be a useful tool for financial managers, since the VaR 
framework provides a natural springboard to other applications, including risk- 
adjusted return on capital (RAROC) and dynamic financial analysis (DFA). The 
Enterprise Risk Model quantifies the risk to the future surplus - net worth - of an 
organization arising from a change in underlying risk variables, such as credit 
risk, insurance risk, interest rate risk, market risk and foreign exchange risk. The 
model also quantifies the benefits of diversification as it takes a macro view of the 
correlations among risks within an organization... Like other VaR-based models, it 
is calibrated to measure the risks over a defined holding period - one year - for a 
given level of statistical confidence - 99%.” 

□ Moody’s — in its publication One Step in the Right Direction: The New C-3a 
Risk-Based Capital Component (June 2000), Moody’s Investors Service states 
that it will use the new method devised by the NAIC and the American Academy 
of Actuaries for measuring a life insurance company’s C-3a (interest rate) risk, as 
it incorporates a cash-flow testing requirement for annuity and single premium 
life products and is more consistent with industry advances in dynamic cash-flow 
testing. One Step states: “. . .the revised calculation is a more accurate barometer 
of the amount of capital required to support an insurer’s interest-sensitive 
business, as it explicitly incorporates asset-liability mismatches in determining the 
appropriate amount of required regulatory capital for a company. Consequently, 
the new calculation should help discourage companies from taking unwarranted 
asset-liability risk.” 

□ Standard & Poor’s — in its Revised Risk-Based Capital Adequacy Model for 
Financial Products Companies, Standard & Poor's states: “Standard & Poor's 
Insurance Capital Markets Group has developed a new, risk-based capital 
adequacy model to analyze the credit, financial market, and operational risks of 
companies that are offering products or are using sophisticated risk management 
techniques that are not considered under the existing Rating Group’s capital 
models. The model will also determine these companies’ capital adequacy. The 
primary application of the model will be to analyze specialized financial product 
companies (FPCs) that are subsidiaries of insurance companies or that are credit 
enhanced by insurance companies. . .The model may also be applied to portions of 
insurance companies that control or mitigate their risks to a greater extent than is 
implied by the capital charges applied in the standard life/health capital adequacy 
model, which bases charges for interest-rate risk and credit risk on industry 
averages and liability types rather than company-specific exposure.” 

□ NAIC — The National Association of Insurance Commissioners: 

— Risk-Based Capital (RBC) — Following a detailed examination of the 
growing diversity of business practices of insurance companies conducted in 
1990, the NAIC concluded that minimum capital requirements placed on 
companies needed to be increased to protect consumers. The NAIC adopted 
life/health risk-based capital requirements in December 1992 and adopted 
property/casualty risk-based capital requirements in December 1993. 

Although risks involved in these two segments of the industry are very 
different, the NAIC was able to develop a consistent two-step approach to 
setting risk-based capital requirements for individual companies: 

- Step 1 involves the calculation of a company’s capital requirement and 
total adjusted capital, based on formulas developed by NAIC for each 
industry. 

- Step 2 calls for comparison of a company’s total adjusted capital against 
the risk-based capital requirement to determine if regulatory action is 
called for, under provisions of the Risk-Based Capital for Insurers Model 
Act. The model law sets the points at which a commissioner is authorized 
and expected to take regulatory action. 

— Interest rate risk — the NAIC’s Life Risk-Based Capital Working Group, in 
conjunction with the American Academy of Actuaries Life Risk-Based 
Capital Task Force, has finalized the development of an improved method for 
measuring a company’s interest-rate risk. The method, which is effective for 
the year-end 2000 statements, “incorporates a cash-flow testing requirement 
for annuity and single premium life products and makes the RBC C-3a 
calculation more consistent with recent industry advances in dynamic cash- 
flow testing. . .The task force has recognized the need to accurately incorporate 
these additional risks into the RBC formula. They have stated that equity 
indexed annuities (EIAs) and variable products with secondary guarantees 
will be incorporated in a future C-3a update. This would be consistent with 
the task force’s goal of upgrading C-3a from a measure of interest-rate risk to 
a more complete measure of asset/liability risk.” 

□ Australian Prudential Regulation Authority (APRA) — a feature of ongoing 
reforms to the regulation of general insurers is a layer of four standards covering 
the subjects of capital adequacy, liability valuation, reinsurance arrangements and 
operational risk. APRA is implementing an approach based on development of, 
and compliance with, a range of risk management strategies. These strategies will 
need to deal with the myriad interlocking risks involved in managing a general 
insurance company. Each company will need to have its strategy agreed upon by 
APRA and will then be responsible for managing compliance. APRA has made it 
clear that an internal enterprise risk model with appropriate specifications will go 
a long way toward meeting compliance objectives. 
Appendix B — A Continuum of Risk Modeling Methods 


Figure A - There is a continuum of methods for modeling risks. Each method has 
advantages/disadvantages over others, so it’s important to select the best methods based on facts and 
circumstances 
There is a continuum of methods for developing probability distributions. The choice of 
method depends significantly on the amount and type of historical data that is available. 
The methods also require varying analytical skills and experience. Each method has 
advantages and disadvantages over the other methods, so it is important to match the 
method to the facts and circumstances of the particular risk type. 

We have loosely organized the modeling methods into three categories: 

■ Methods based primarily on analysis of historical data 

■ Methods based on a combination of historical data and expert input 

■ Methods based primarily on expert input 

Methods Based Primarily on Analysis of Historical Data 

These methods are the most appropriate when there is enough historical data to apply 
standard statistical approaches to develop probability distributions. Typically several 
years of high-frequency data are necessary. These methods are most often used to model 
risks that are traded in the financial markets such as interest rate, foreign exchange, asset 
risks, claims and the like. 

Empirical Distributions 

The simplest and the most direct approach is to assume that the historical data fully 
defines the probability distribution. Then the data can be used directly to develop a 
discrete probability distribution. Of course the danger is in assuming that the data is 
complete and the time period over which the data is gathered is long enough to have 
“seen” or experienced the full range of outcomes. 

Fit Parameters of Theoretical Probability Density Functions 

An alternative to empirical distributions is to assume that the risk can be described by a 
theoretical probability density function. Then the data is used to estimate the parameters 
of the theoretical distribution. For example, for property/casualty claims, the frequency 
of claims is often assumed to follow either a Poisson or negative binomial distribution 
whereas the severity of claims is often assumed to follow a lognormal or a Pareto (for 
conditional claim or tail distribution). 
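The fitting step described above, as an added example that is not part of the original monograph: it estimates a Poisson claim frequency and a lognormal claim severity from a small constructed history, then goes one step further and combines them by simulation into an annual loss distribution. The data, function names, simulation size and the 99% level read off at the end are assumptions chosen for illustration.

```python
import math
import random
import statistics

# Constructed sample history (not from the monograph): claims per year and
# individual claim sizes in dollars.
CLAIM_COUNTS = [3, 5, 4, 6, 2, 4, 5, 3]
CLAIM_SIZES = [1200, 3400, 800, 15000, 2300, 5600, 950, 4100,
               2700, 1800, 7200, 3100]


def fit_poisson(counts):
    """Poisson rate estimate: the sample mean of the annual claim counts."""
    return statistics.fmean(counts)


def fit_lognormal(sizes):
    """Lognormal parameters: mean and sample std. dev. of log(claim size)."""
    logs = [math.log(x) for x in sizes]
    return statistics.fmean(logs), statistics.stdev(logs)


def draw_poisson(rng, lam):
    """Knuth's multiplication method; adequate for small rates like this one."""
    limit, k, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        k += 1
        product *= rng.random()
    return k


def simulate_annual_losses(lam, mu, sigma, n_years=20000, seed=1):
    """One simulated year = a Poisson number of lognormal claim sizes, summed."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n_years):
        n_claims = draw_poisson(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, sigma)
                          for _ in range(n_claims)))
    return totals


def quantile(values, q):
    """Empirical quantile: the value at rank q in the sorted sample."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def run_example():
    lam = fit_poisson(CLAIM_COUNTS)
    mu, sigma = fit_lognormal(CLAIM_SIZES)
    totals = simulate_annual_losses(lam, mu, sigma)
    return {"lambda": lam, "mu": mu, "sigma": sigma,
            "mean_loss": statistics.fmean(totals),
            "q99_loss": quantile(totals, 0.99)}


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name:>10}: {value:,.2f}")
```

With only twelve observed claim sizes the fitted severity tail is very uncertain, which is the same danger noted above for empirical distributions.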

Stochastic Differential Equations (SDE) 

A Stochastic Differential Equation (SDE) expresses the difference (or change) in the 
value of a variable (e.g., interest rate) at time t and the value one time period later, t + 1. 
It’s a stochastic differential equation because the difference is expressed as a 
combination of a predictable change and an uncertain or random change during the time 
period. The random change is represented as a random variable with a specified 
probability distribution (typically normal distribution). Starting with an initial value, the 
SDE is used to iteratively determine a scenario of how the value changes over a forecast 
period (e.g., 10 years). Hundreds or possibly thousands of scenarios are generated in this 
way. The scenarios can then be summarized as probability distributions for each point in 
time over the forecast period. See the ERM bibliography for helpful publications that 
provide more detail on use of SDEs to model risk. 
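The scenario-generation procedure described above, as an added example that is not part of the original monograph: each annual step adds a predictable change and a normally distributed random change, and the scenarios are then summarized as percentiles for each year. The mean-reverting form of the predictable change, the parameter values and the function names are assumptions chosen for illustration.

```python
import random


def simulate_scenarios(r0, long_run, speed, vol, years, n_scenarios, seed=0):
    """Iterate r[t+1] - r[t] = speed * (long_run - r[t]) + vol * Z, Z ~ N(0, 1).

    The first term is the predictable change (assumed here to pull the rate
    toward a long-run level); the second is the random change.
    """
    rng = random.Random(seed)
    scenarios = []
    for _ in range(n_scenarios):
        rate, path = r0, [r0]
        for _ in range(years):
            predictable = speed * (long_run - rate)
            random_part = vol * rng.gauss(0.0, 1.0)
            rate += predictable + random_part
            path.append(rate)
        scenarios.append(path)
    return scenarios


def summarize(scenarios, probs=(0.01, 0.50, 0.99)):
    """For each point in time, the empirical percentiles across all scenarios."""
    n = len(scenarios)
    summary = []
    for t in range(len(scenarios[0])):
        ordered = sorted(path[t] for path in scenarios)
        summary.append({q: ordered[min(n - 1, int(q * n))] for q in probs})
    return summary


def run_example():
    # Assumed inputs: 6% starting rate, 4% long-run level, 10-year forecast.
    scenarios = simulate_scenarios(r0=0.06, long_run=0.04, speed=0.2,
                                   vol=0.01, years=10, n_scenarios=5000)
    return summarize(scenarios)


if __name__ == "__main__":
    for year, row in enumerate(run_example()):
        print(f"year {year:2d}  1%={row[0.01]:.4f}  "
              f"50%={row[0.50]:.4f}  99%={row[0.99]:.4f}")
```

Because the random change is normal, some scenarios in the lower tail carry negative rates; a model that must exclude them needs a different random term.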

Extreme Value Theory 

In risk management, often the most important part of a probability distribution is the tail 
representing the downside risk. The tail distribution is used to determine capital and 
shortfall risk constraints for optimizing strategies. However, most risk modeling methods 
focus on accurately representing the main body of the distribution. Extreme Value 
Theory (EVT) is a technique for increasing the accuracy with which to model the 
probability of large values in the tail distribution. EVT is devoted to modeling and 
estimating the behavior of rare events. Different EVT models and techniques have been 
developed and applied to deal with some environmental issues like sea levels, wind 
speeds and pollution concentrations, where there is a potential for catastrophic results but 
it happens rarely. Recently, EVT has been used increasingly in finance and insurance. 

The main difficulty of estimating rare events is that in most cases there is a small amount 
of, or even no, data available. The EVT approach is to develop models based on 
asymptotic theory. EVT models the limiting distribution of the extreme values of a 
random variable, which corresponds to the occurrence of rare events. A description of the 
method is beyond the scope of this document; however, several useful references are 
cited in the bibliography. 
Regression 

Often it’s necessary and useful to develop a model of a variable by examining its drivers 
or causal variables. A regression equation expresses a dependent variable as a function 
of one or more predictor variables. Regression equations provide managers more 
information on the dynamics underlying a specific risk to help manage, insure or hedge 
the risk. 

Methods Based on a Combination of Historical Data and Expert Input 

Often there is not enough data to reliably quantify risks directly through data analysis. In 
these cases it’s necessary to develop a model of the underlying dynamics that give rise to 
the data. This requires drawing on the experience and knowledge of domain experts to 
fill in the data gaps. The following methods attempt to model the dynamics of a system 
by using a combination of both historical data and expert input. 

System Dynamics Simulation 

System Dynamics is a robust modeling method that explicitly simulates the cause/effect 
relationships underlying the dynamics of a system. The approach leverages both existing 
historical data and the knowledge and experience of senior managers to develop a 
stochastic simulation model. The model is used to run Monte Carlo simulations and 
develop probability distributions for the variable of interest. 

The System Dynamics approach has several advantages over parametric approaches 
described above, particularly for modeling operational risks: 

■ It provides a systematic way to fill any gaps in historical data with input from experts 
relying on their knowledge and experience. This is applicable particularly for 
modeling operational risks where it’s often the case that there isn’t enough 
representative data to apply the statistical methods described above. 

■ It provides a way to determine how operational risks change as a function of changes 
in operations. Since the approach explicitly captures the cause/effect linkages, it is 
easier to develop effective ways to mitigate risk and measure their impact than with 
noncausal methods. 

■ As businesses become more complex, knowledge of their underlying dynamics 
becomes more fragmented and localized. Although many managers have a good 
understanding of their own functional areas, few have a solid grasp of the dynamics 
of the entire organization. Obtaining a complete picture, for example, of the sources 
of operational risks and how they affect financial performance, requires the combined 
knowledge of managers across functional areas. The system dynamics approach 
facilitates this interaction through a structured, participative modeling and decision- 
making process. 
Fuzzy Logic 

In spite of its name, fuzzy logic is a well-established engineering science used 
successfully in control systems and expert reasoning. It is an approach to modeling 
complex systems, where much of the complexity comes from the ambiguous, uncertain or 
undecided representation of the variables of the system. Traditional quantitative models 
tend to interpret reality in binary terms. For example, imagine a device that identifies if a 
person has a fever. Given the temperature of an individual, a quantitative model 
programmed in the device will use a discrete, binary rule, such as: “if the temperature is 
at or over 103°F then person has a fever, else normal”. Even if it has other categories in 
between, such as “light fever”, it will still use a discrete binary rule to determine whether 
a person falls in the “light fever” category or “fever” category. However, in reality it’s 
clear that there is no precise cut-off for determining whether someone has a fever and the 
boundary between “normal” and “fever” is fuzzy. Fuzzy set theory was developed to 
recognize these gray areas. According to fuzzy set theory, a person with a temperature of 
101.5°F would be classified as having some membership in both categories “normal” and 
“fever”. Fuzzy logic is the reasoning based on fuzzy set theory. 

Fuzzy logic has advantages in modeling complex business problems where linguistic 
variables are used to express the logic rules, the information is subjective, incomplete or 
unreliable, and the problem spaces are often nonlinear. A fuzzy system is closer to the 
way people reason and is therefore often used to build expert systems. The fuzzy nature 
of the rule spaces makes it easy to model multiple, often different or conflicting expert 
views toward the same model variables. In terms of risk modeling and assessment, fuzzy 
logic shows potential to be a good approach in dealing with operational risk, where the 
probability assessment is often based on expert opinion and the risk space is 
multidimensional and highly nonlinear. 

Estimating Probabilities through Expert Testimony 

In extreme cases, there aren’t any data at all. In these cases, one must rely on the 
knowledge and experience of domain experts. Probability distributions for events for 
which there is sparse data can be estimated through expert testimony. A naive method for 
assessing probabilities is to ask the expert, e.g., “What is the probability that a new 
competitor will enter the market?” However, the expert may have difficulty answering 
direct questions and the answers may not be reliable. Behavioral scientists have learned 
from extensive research that the naive method can produce unreliable results because of 
heuristics and biases. For example, individuals tend to estimate higher probabilities for 
events that can be easily recalled or imagined. Individuals also tend to anchor their 
assessments on some obvious or convenient number resulting in distributions that are too 
narrow. (See Clemen, 1996 and von Winterfeldt & Edwards, 1986 in the bibliography 
for further examples). Decision and risk analysts have developed several methods for 
accounting for these biases. Several of these methods are described below. 
Preference among Bets 

Probabilities are determined by asking the expert to choose which side she prefers on a 
bet on the underlying events. To avoid issues of risk aversion, the amounts wagered 
should not be too large. For example, a choice is offered between the following bet and 
its opposite: 


Bet                                             Opposite Side of Bet

Win $x if a new competitor enters the market    Lose $x if a new competitor enters the market

Lose $y if no new competition                   Win $y if no new competition


The payoffs for the bet, amounts $x and $y, are adjusted until the expert is indifferent to 
taking a position on either side of the bet. At this point, the expected values for each side 
of the bet are equal in her mind. Therefore, 

$x P(C) - $y [1 - P(C)] = -$x P(C) + $y [1 - P(C)] 

where P(C) is the probability of a new competitor entering the market. Solving this 
equality for P(C): 

P(C) = $y / ($x + $y) 

For example, if the expert is indifferent to taking a position on either side of the 
following bet: 

Win $900 if a competitor enters the market 
Lose $100 if no new competition 

then the estimated subjective probability of a new competitor entering the market is 
$100/($100 + $900) = 0.10. 

Judgments of Relative Likelihood 

This method involves asking the expert to provide information on the likelihood of an 
event relative to a reference lottery. The expert is asked to indicate whether the 
probability of the event occurring is more likely, less likely or equally likely compared to 
a lottery with known probabilities. Typically a spinning wheel (a software 
implementation of the betting wheels in casinos) is used on which a portion of the wheel 
is colored to represent the event occurring. The relative size of the colored portion is 
specified. The expert is asked to indicate whether the event is more, less or equally likely 
to occur than the pointer landing on the colored area if the wheel was spun fairly. The 
colored area is reduced or increased as necessary depending on the answers until the 
expert indicates that the two events are equally likely. This method is often used with 
subjects that are naive about probability assessments. 
Decomposition to Aid Probability Assessment 

Often, decomposing an event into conditional causal events helps experts assess risk of 
complex systems. The structure of the conditional causal events can be represented by an 
influence diagram. Influence diagrams illustrate the interdependencies between known 
events (inputs), scenarios and uncertainties (intermediate variables) and an event of 
interest (output). An influence diagram model comprises risk nodes representing the 
uncertain conditions surrounding an event or outcome. Relationships among nodes are 
indicated by connecting arrows, referred to as arcs of influence. The graphical display of 
risks and their relationships to process components and outcomes helps users visualize 
the impacts of external uncertainties. 

While this approach increases the number of probability assessments, it also allows input 
from multiple experts or specialists, and helps combine empirical data with subjective 
data. For example, a new competitor entering the market may be decomposed using an 
influence diagram such as this one: 



The probability of a new competitor, P(C) can be estimated, using a Bayesian approach. 
The approach uses “Bayes’ Rule” which is a formal, optimal equation for the revision of 
probabilities in light of new evidence contained in conditional or causal probabilities. 

P_i(C) = P(C_i | R_i, T_i) P(R_i, T_i) 

where i is a product index, P(R_i, T_i) is the joint probability of an adverse change in 
regulation and introduction of new technology, and P(C_i | R_i, T_i) is the conditional 
probability of a new competitor entering a market for product i. This formula is useful 
when assessing the conditional probabilities P(C_i | R_i, T_i) and is easier than a direct 
calculation of P(C). 

Several different experts may be asked to assess the conditional and joint probabilities. 
For example, one expert (or group of experts) may assess the probability of adverse 
regulation for a specific product, another expert may assess probability of introduction of 
new technology and a third may assess the probability of a new competitor given the state 
of new regulation and technology. 

The Delphi Technique 

Scientists at the Rand Institute developed the “Delphi process” in the 1950’s for 
forecasting future military scenarios. Since then it has been used as a generic strategy for 
developing consensus and making group decisions, and can be used to assess 
probabilities from a group of individuals. This process structures group communication, 
and usually involves anonymity of responses, feedback to the group as collective views, 
and the opportunity for any respondent to modify an earlier judgment. The Delphi 
process leader poses a series of questions to a group; the answers are tabulated and the 
results are used to form the basis for the next round. Through several iterations, the 
process synthesizes the responses, resulting in a consensus that reflects the participants’ 
combined intuition, experience and expert knowledge. 

The Delphi technique can be used to explore or expose underlying assumptions or 
information leading to differing judgments and to synthesize informed judgments on a 
topic spanning a wide range of disciplines. It is useful for problems that can benefit from 
subjective judgments on a collective basis. 

Pitfalls and Biases 

Estimating subjective probabilities is never as straightforward as implied in the 
description of the methods above. There are several pitfalls and biases to be aware of: 

■ None of the methods works extremely well by itself. Typically, multiple techniques 
must be used. 

■ To increase consistency, experts should be asked to assess both the probability of an 
event and, separately, the probability of the complement of the event. The two 
should always add up to 1.0; however, in practice they seldom do without repeated 
application of the assessment method. 

■ The events must be defined clearly to eliminate ambiguity. “What is the probability 
of a new competitor entering the market?” is an ambiguous question. “What is the 
probability that a new competitor will take more than 5% market share of product A 
in the next two years?” is much less ambiguous and more clearly defines the event. 

■ When assessing probabilities for rare events, it is generally better to assess odds. 
The odds of event E are [P(E) / P(complement of E)]. 

Note: This appendix was reproduced from the Tillinghast - Towers Perrin monograph 
RiskValueInsights®: Creating Value Through Enterprise Risk Management 
(http://www.tillinghast.com). 